pjfanning commented on code in PR #1027:
URL: https://github.com/apache/poi/pull/1027#discussion_r2895314951
##########
poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveThresholdInputStream.java:
##########
@@ -120,6 +121,17 @@ private void checkThreshold() throws IOException {
rawSize = 0;
}
+ // If available, read compressed size via
ZipArchiveEntry.getCompressedSize() which takes
+ // data from the Zip central directory header. This is because the
ZipArchiveInputStream
+ // "may return unknown sizes and CRC values for entries until the next
entry has been
+ // reached if the archive uses the data descriptor feature."
+ if (entry != null) {
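Review bot: Feeding `checkThreshold()` a size taken from `ZipArchiveEntry.getCompressedSize()` (the new `if (entry != null)` branch) makes a security control depend on a value the archive itself supplies: the compressed size recorded in the central directory is written by whoever produced the file and is never reconciled with the bytes the stream actually delivers, so a file can declare a small compressed size while its entries inflate far beyond it. The counter the stream already maintains (`rawSize`, reset to 0 just above this hunk) reflects bytes genuinely read and should remain the authoritative input to the threshold; if the header value is used at all, apply it only as an additional bound that can tighten the check, never as a substitute that relaxes it, and state that in the code comment so the next reader does not take the central-directory figure as trustworthy.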
Review Comment:
I don't like this - I prefer to get the real size from that stats object as
opposed to trusting a possibly spoofed size value in the zip file.
I don't want a CVE and we will get one if this is merged.
--
This is an automated message from the Apache Git Service.